Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

1 files changed, 8 insertions, 12 deletions

diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c
index abcce54366a..b2fd80b559b 100644
--- a/lib/libcrypto/asn1/t_x509.c
+++ b/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.38 2022/08/10 11:15:08 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.39 2022/08/10 16:51:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,7 +118,6 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 	X509_CINF *ci;
 	ASN1_INTEGER *bs;
 	EVP_PKEY *pkey = NULL;
-	const char *neg;
 
 	if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mlch = '\n';
@@ -155,18 +154,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 		l = -1;
 		if (bs->length <= (int)sizeof(long))
 			l = ASN1_INTEGER_get(bs);
-		if (l != -1) {
-			if (bs->type == V_ASN1_NEG_INTEGER) {
-				l = -l;
-				neg = "-";
-			} else
-				neg = "";
-			if (BIO_printf(bp, " %s%lu (%s0x%lx)\n",
-			    neg, l, neg, l) <= 0)
+		if (l >= 0) {
+			if (BIO_printf(bp, " %ld (0x%lx)\n", l, l) <= 0)
 				goto err;
 		} else {
-			neg = (bs->type == V_ASN1_NEG_INTEGER) ?
-			    " (Negative)" : "";
+			const char *neg = "";
+
+			if (bs->type == V_ASN1_NEG_INTEGER)
+				neg = " (Negative)";
+
 			if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0)
 				goto err;
 			for (i = 0; i < bs->length; i++) {